How Can Organizations Prevent Lateral Movement Attacks By Harnessing Risk Analysis And MFA?

essidsolutions

In a world that has grown accustomed to the inevitability of initial compromise, lateral movement is becoming the new battleground. The perimeter has dissolved, and a new attack surface has been exposed. Yiftach Keshet, director of product marketing at Silverfort, looks at how risk analysis and MFA can help prevent lateral movement attacks.

Starting from an initial toehold on a single machine, lateral movement is a critical phase for attackers looking to reach sensitive and vital systems. It allows them to hop from machine to machine and eventually position themselves for maximum impact.

So, what do cybercriminals do when they perform lateral movement attacks, and what can be done to defend against them?

How Does Lateral Movement Take Place?

Lateral movement is how attackers move from one technical resource in a network to another with the ultimate aim of reaching a target machine.

It all starts with a single machine being compromised. Nowadays, ‘patient zero’ is compromised in a number of ways, typically using malware or exploits. After achieving this beachhead, an attacker will begin their movement across the network by abusing a ubiquitous access management tool that has been present in every network for many years: credentials.

Because of their critical role in deciding access, credentials are a powerful tool when manipulated by malicious hands. Attackers abuse them to jump between machines, escalating privileges as they go to achieve greater access, until they arrive at target locations to drop payloads, steal data or control other critical assets.

Practically, this is achieved using several techniques, many of which have been around for some time. First, every machine in an environment stores passwords, hashes and usernames in system memory. These can be extracted using relatively straightforward memory dumping techniques and tools, often yielding greater access levels for an attacker. Once credentials are dumped, they are used to establish subsequent connections with new machines, a process repeated until the necessary level of access is achieved. Attackers also have another technique in their arsenal in the form of privilege escalation vulnerabilities, leveraging issues in the infrastructure to elevate permissions.

Whereas these types of ‘hands-on-keyboard’ approaches were once the preserve of more advanced threat groups, they have, over time, become more widespread. As with anything in cybersecurity, the tactics and techniques to carry out such attacks are in the public domain, and free tools are abundant. With know-how and software no longer centralized inside well-resourced attack groups, lateral movement has become mainstream.


What Are The Primary Lateral Movement Detection Challenges?

The primary detection challenge is that lateral movement has a shallow footprint. Attackers live off the land, requiring few or no external resources. They achieve their goals by subverting the minutiae of everyday systems and processes. They do this in a ‘low and slow’ manner, staying in the shadows, so no anomalous processes are executed for risk controls to detect.

In fact, during this phase of an attack, the only processes an attacker usually uses are those that have been run inside the organization many times before and are, to some extent, highly trusted.

Another factor contributing to this low footprint is that an attacker is directly abusing the very thing designed to be an arbiter of trust: by subverting identity, they move around the network as a legitimate user. With the right tools and techniques, a threat actor can therefore assume the identity of a fully privileged administrator. Their actions are implicitly trusted and, therefore, not flagged as malicious.

Hybrid environments also present detection challenges for lateral movement. Modern identity is messy: a mix of legacy on-premises identity directories and multiple cloud-based IdPs. As organizations grow, the platforms delivering identity have dispersed and diverged, creating gaps in visibility. These blind spots play into the hands of attackers, who disappear from logs and stay off the radar of the multitude of risk mitigation features spread across each separate platform.

The final challenge to stopping such attacks is an inability to act. The best that most countermeasures can hope for is alerting security teams to trace evidence of a threat actor transitioning through their network. However, this often comes too late to prevent movement, leading to either a high-stakes cat-and-mouse game or a scramble at the tail end of an attack chain to prevent payloads from being deployed.

How Can Any Organization Achieve Prevention of Lateral Movement Attacks?

Having visibility of identity is the first step to stopping lateral movement. While historically a difficult thing to achieve, capturing, analyzing and understanding an entire environment’s identity data is now possible and can provide a valuable window into lateral movement. By mapping this data against known risk indicators and behaviors, security teams can benefit from a vastly improved understanding of their risk.

Deploying proactive authentication on highly targeted elements of the internal attack surface is another weapon in the fight to prevent lateral movement. This means wrapping MFA around everything from access interfaces like PsExec and Remote PowerShell to enterprise resources such as legacy applications and critical IT infrastructure. A proven approach to managing access, multifactor authentication will drastically increase friction for any malicious actor looking to move around.
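The two steps above (mapping identity data against risk indicators, then stepping up to MFA on interfaces such as PsExec and Remote PowerShell) as an added illustration; this is not Silverfort's product or code. It scores constructed authentication events per account and decides when a session should be challenged rather than merely alerted on; the event format, baseline, indicator weights and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real logs: (timestamp, user, source, destination, interface).
# 'alice' performs a normal file-share login; 'svc_backup' reaches four hosts in two minutes.
EVENTS = [
    ("2024-05-01T09:00:00", "alice", "WS-17", "FILESRV1", "smb"),
    ("2024-05-01T13:10:05", "svc_backup", "WS-42", "SRV-01", "psexec"),
    ("2024-05-01T13:10:41", "svc_backup", "WS-42", "SRV-02", "psexec"),
    ("2024-05-01T13:11:12", "svc_backup", "WS-42", "SRV-03", "winrm"),
    ("2024-05-01T13:11:58", "svc_backup", "WS-42", "DC-01", "winrm"),
]
BASELINE = {("alice", "FILESRV1"), ("svc_backup", "SRV-01")}  # constructed known (user, host) pairs
ADMIN_INTERFACES = {"psexec", "winrm"}  # PsExec and remote PowerShell, as named in the article
WINDOW = timedelta(minutes=10)          # sliding window for fan-out detection (assumed)
FANOUT_THRESHOLD = 3                    # distinct destinations per WINDOW that count as fan-out
MFA_THRESHOLD = 50                      # assumed risk score at which access should require MFA


def max_fanout(times_dests, window):
    """Most distinct destination hosts reached inside any `window`; input sorted by time."""
    best = 0
    for i, (t0, _) in enumerate(times_dests):
        best = max(best, len({d for t, d in times_dests[i:] if t - t0 <= window}))
    return best


def score_account(user, user_events, baseline):
    """Return (risk score, reasons) for one account from its events and the known baseline."""
    by_time = sorted((datetime.fromisoformat(ts), dest, iface)
                     for ts, _u, _src, dest, iface in user_events)
    fanout = max_fanout([(t, d) for t, d, _ in by_time], WINDOW)
    admin = sorted({i for _, _, i in by_time if i in ADMIN_INTERFACES})
    new = sorted({d for _, d, _ in by_time if (user, d) not in baseline})
    indicators = [  # (fired?, weight, explanation) for each risk indicator
        (fanout >= FANOUT_THRESHOLD, 40, f"{fanout} distinct hosts within {WINDOW}"),
        (bool(admin), 20, "remote-execution interface(s): " + ", ".join(admin)),
        (bool(new), 10 * len(new), "first-seen destinations: " + ", ".join(new)),
    ]
    hits = [(w, why) for fired, w, why in indicators if fired]
    return sum(w for w, _ in hits), [why for _, why in hits]


def assess(events, baseline=BASELINE):
    """Map every account in `events` to its (score, reasons)."""
    per_user = defaultdict(list)
    for ev in events:
        per_user[ev[1]].append(ev)
    return {u: score_account(u, evs, baseline) for u, evs in per_user.items()}


def requires_mfa(score):  # step-up decision: challenge the session rather than only alert on it
    return score >= MFA_THRESHOLD
```

In this sample the service account scores 90 (fan-out, remote-execution interfaces and three never-before-seen destinations) and would be challenged, while the routine file-share login scores 0 and passes untouched.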


Just as importantly, this should all be achieved across the disparate modern environment. Only with a holistic approach to identity security that can see the entirety of today’s hybrid workspace, on-prem and across many different clouds, can we remove the blind spots that attackers leverage.

Stopping lateral movement suffocates attacks before they have a chance to take root. However, this is something that can only be achieved by an organization shifting its mindset on identity and closing down the opportunities it presents for abuse. Done in this way, threat actors are stifled, and patient zero stays at zero.
